Kuluoz is a known botnet that appeared in mid-2012 and has also been known by other names such as weelsof, win32, Dofoil, etc. Kuluoz is usually spread by sending suspicious mail to the target user; once a host is infected, the traffic leaving the network consists of POST requests encoded in a unique format, making it difficult to determine the location of the hosts it talks to or their purpose.
Normally the malware is disguised as an attachment to an email. The attachment contains a file masquerading as a Word document that contains details about an online shopping invoice.
The Kuluoz backdoor acts as a gateway to bigger and more dangerous malware. Once it has infected a system, it leaves the system vulnerable to other forms of malware infection. The Kuluoz infection is usually part of a large phishing campaign that lures users into downloading malicious attachments. Once the computer is infected, the malware proceeds to communicate with its C&C servers. It then receives instructions to download other malware onto the host, such as FAKEAV and the ZeroAccess Trojan.
The communication between the C&C servers and the backdoor itself is encrypted. This makes it much harder to pinpoint the location of the servers. The C&C servers can make the malware do several things on the host machines, including update itself, modify registry keys, delete critical files, and steal files if required.
Kuluoz is a very common dropper that can very easily infect systems through mass email spam campaigns. The malware also attempts to steal several types of documents from a system, including Word documents, Excel spreadsheets and PowerPoint presentations.
During execution of the malware, it was found that a Word document named Delivery-Information-ID-004588020234-Z31 was created by the sample.
The suspected file looks like a harmless Word document
Later the file was uploaded to Cuckoo Sandbox, which identified the IOCs of the sample. The detection ratio was very high, so the file was confirmed as malware.
As the sample is packed, we need to know what kind of packer is used to keep it obfuscated. Many tools, such as TrID and PEiD, can identify the packer. Here I have used a custom script to extract metadata such as file size, sections and import tables from the file. The file may also be packed using an encryption mechanism; in order to carry out further analysis, it must first be decrypted.
The file seems to be packed using the UPX packer
Now that the file is decrypted, the malware sample needs to be executed in our custom virtual environment. On running the file, a Notepad window immediately pops up with a strange message in it.
Notepad shows a cryptic error message
The text file that is open is saved on the user’s desktop and has the same name as the name of the file itself, in this case Delivery-Information-ID-004588020234-Z31.txt.
Viewing the list of running processes on the system, it is found that a duplicate process called svchost.exe is executing and has spawned the Notepad window depicted above.
A fake svchost.exe is revealed
Svchost.exe is actually a normal Windows process, but in this case the malware attempts to mask its presence by taking the name of such a process.
While the malware is executing, the network traffic is monitored. Traffic in the form of POST requests is detected; the requests are encoded in a unique format to prevent us from finding out the actual data being sent out. The data is being sent to two external IP addresses.
Encoded POST requests leaving the system
At this point, a memory dump of the system was taken to perform memory analysis on the infected host. The first step is to find where in the memory the malicious file is residing. This is easily revealed using our memory analysis tool.
A quick memory scan reveals an embedded executable in a process
An embedded executable is found residing in the process called svchost.exe with a PID (Process ID) of 2316.
The memory dump is searched for artifacts that could indicate malicious software. This is done by looking for mutexes in the memory. The mutexes created by the malware begin with CTF and are followed by several long random characters.
A memory scan is then run on the process in question, revealing several HTTP requests containing the keyword “You fag!!”.
Looking through the memory of the svchost.exe process, it is found that a malicious DLL has been injected into it. Finally, the injected code is dumped so that further analysis can be performed on it.
Dll injected into svchost.exe
Malfind command dumps malicious code in normal processes
Examining the dumped files in a hex editor reveals several more instances of the keyword “You Fag”.
This keyword is used as a key for encoding the communications that leave the infected host.
Key used to encode communications
The dump also reveals how the malware communicates with its C&C servers. It uses XML notation to send and receive commands, and these commands are encrypted using the RC4 algorithm.
The URL path is hardcoded as “/index.php?r=gate”.
Dump showing XML request and hardcoded URL
The XML API used by the malware has several tags. The functions of the tags are listed below:

| Tag | Function |
| --- | --- |
| <knock> | XML top element open |
| <group>%s</group> | Group ID string |
| <version>%d</version> | Hardcoded bot version |
| <status>%d</status> | Status of last command |
| <debug>%s</debug> | Environment information such as OS version, 64/32-bit, firewall, antivirus |
| </knock> | XML top element close |
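The following is an added analysis helper, not code from the original write-up or from the malware: it shows how an analyst can decode a captured POST to the hardcoded gate path using the RC4 key recovered from the svchost.exe dump and parse the resulting <knock> XML into the fields from the table above. It assumes the RC4 key is the literal string "You fag!!" as seen in process memory and that the POST body is the raw RC4 ciphertext (the transport encoding is not specified in the write-up); the sample knock values are constructed.

```python
import xml.etree.ElementTree as ET

GATE_PATH = "/index.php?r=gate"        # hardcoded URL path found in the dump
ASSUMED_KEY = b"You fag!!"             # assumption: keyword from memory used as the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                                     # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_knock(xml_text: str) -> dict:
    """Map each child tag of <knock> (group, version, status, debug) to its text."""
    root = ET.fromstring(xml_text)
    if root.tag != "knock":
        raise ValueError("not a knock message")
    return {child.tag: (child.text or "") for child in root}


def decode_gate_post(path: str, body: bytes, key: bytes = ASSUMED_KEY):
    """Return the parsed knock fields if the request matches the gate path and
    decrypts to a <knock> element; otherwise None (not Kuluoz C&C traffic)."""
    if path != GATE_PATH:
        return None
    plain = rc4(key, body)
    if not plain.startswith(b"<knock>"):              # wrong key or unrelated traffic
        return None
    return parse_knock(plain.decode("utf-8", errors="replace"))


# Constructed sample: what a bot status report looks like according to the tag table.
SAMPLE_KNOCK = ("<knock><group>sample-group</group><version>1</version>"
                "<status>0</status><debug>Win7 x64 fw=on av=none</debug></knock>")
SAMPLE_BODY = rc4(ASSUMED_KEY, SAMPLE_KNOCK.encode())

if __name__ == "__main__":
    print(decode_gate_post(GATE_PATH, SAMPLE_BODY))
```

Feeding real captured bodies through decode_gate_post is also a cheap detection check: a body that decrypts to <knock> under this key is a strong indicator of a Kuluoz beacon.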
In conclusion, Kuluoz is a dangerous botnet that is spread via spam emails. Strong spam filters need to be deployed to reduce the number of phishing and spam emails reaching the victim’s inbox. Moreover, email servers need to be configured to block or remove emails that contain file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. As always, employees need to be trained not to open attachments unless they are expecting them, and monitoring network connectivity to the below IP address is also recommended.